{"id":1808,"date":"2025-10-15T11:15:35","date_gmt":"2025-10-15T11:15:35","guid":{"rendered":"https:\/\/www.dioda.ro\/blog\/?p=1808"},"modified":"2025-10-15T11:15:38","modified_gmt":"2025-10-15T11:15:38","slug":"dispozitivele-tuya-iti-compromit-reteaua-cum-te-protejezi-real-de-atacuri-iot","status":"publish","type":"post","link":"https:\/\/www.dioda.ro\/blog\/electronica\/dispozitivele-tuya-iti-compromit-reteaua-cum-te-protejezi-real-de-atacuri-iot\/","title":{"rendered":"Do TUYA devices compromise your network? How to REALLY protect yourself from IoT attacks"},"content":{"rendered":"\n<p><strong>Many users hesitate to install TUYA smart devices for fear that they &#8220;give China access to their internal network&#8221;. The reality is more nuanced: IoT risks exist regardless of the manufacturer, and effective protection comes down to configuring your own network correctly. This article shows exactly how these devices can be abused and, more importantly, how to protect yourself.<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Why are people afraid of TUYA devices?<\/h2>\n\n\n\n<p>The concerns are legitimate, but often exaggerated or misunderstood:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2705 <strong>True<\/strong>: many IoT devices talk to cloud servers in China\/Asia<\/li>\n\n\n\n<li>\u2705 <strong>True<\/strong>: the firmware can have vulnerabilities<\/li>\n\n\n\n<li>\u274c <strong>False<\/strong>: &#8220;install a smart plug and Chinese hackers see everything I do on my laptop&#8221;<\/li>\n\n\n\n<li>\u274c <strong>False<\/strong>: &#8220;there is no protection, I have to give up the smart home&#8221;<\/li>\n<\/ul>\n\n\n\n<p><strong>Reality<\/strong>: security depends overwhelmingly on how your own network is configured, not on the manufacturer's country.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">How an attacker can abuse a compromised IoT device<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Scenario 1: the IoT device as a &#8220;PIVOT&#8221; into your network<\/h3>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.dioda.ro\/blog\/wp-content\/uploads\/2025\/10\/a93e0c81-cac7-4b14-90d6-bb0e00e38b36.jpg\" alt=\"Pivot attack diagram\"\/><\/figure>\n\n\n\n<p><strong>What does &#8220;pivot&#8221; mean?<\/strong> A compromised device becomes a foothold from which the other devices on the network are attacked.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">The steps of a pivot attack:<\/h4>\n\n\n\n<p><strong>Step 1: initial compromise<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The attacker exploits a vulnerability in the firmware of a TUYA smart plug<\/li>\n\n\n\n<li>Common methods: default passwords, bugs in the local web interface, public exploits for old firmware versions<\/li>\n<\/ul>\n\n\n\n<p><strong>Step 2: scanning the internal network (LAN)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The compromised device starts to &#8220;see&#8221; which other devices exist on the network<\/li>\n\n\n\n<li>It scans IP addresses (192.168.1.1-254), open ports and running services<\/li>\n\n\n\n<li>It identifies laptops, NAS boxes, cameras, routers, printers<\/li>\n<\/ul>\n\n\n\n<p><strong>Step 3: finding valuable targets<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It finds a NAS with an SMB share that has no password<\/li>\n\n\n\n<li>It identifies a laptop with Remote Desktop enabled and a weak password<\/li>\n\n\n\n<li>It discovers IP cameras with a web interface on port 80 and admin\/admin credentials<\/li>\n<\/ul>\n\n\n\n<p><strong>Step 4: lateral movement and exfiltration<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The attacker connects to the discovered NAS and pulls documents, photos and backups<\/li>\n\n\n\n<li>Accesses the surveillance camera feeds<\/li>\n\n\n\n<li>Installs persistent malware on the laptop<\/li>\n\n\n\n<li>Exfiltrates the data over HTTPS traffic that looks normal<\/li>\n<\/ul>\n\n\n\n<p><strong>Why does it work?<\/strong> Most home routers allow unrestricted communication between all devices on the LAN. Your smart plug &#8220;sees&#8221; the laptop, the NAS and the phone \u2013 all on the same flat network. The router's firewall filters WAN\u2192LAN traffic; it does nothing about LAN\u2192LAN.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Scenario 2: the 6 major IoT threats<\/h3>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.dioda.ro\/blog\/wp-content\/uploads\/2025\/10\/bc4a09eb-9374-47d8-b4a7-93d745c0d8bc.jpg\" alt=\"IoT attack vectors\"\/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">1. <strong>Botnets and DDoS attacks<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Compromised devices are recruited into botnets (e.g. Mirai)<\/li>\n\n\n\n<li>They launch DDoS attacks against other targets on the internet<\/li>\n\n\n\n<li><strong>Impact for you<\/strong>: bandwidth consumption, possible blocks from your ISP, your connection becomes an &#8220;accomplice&#8221;<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">2. <strong>Data exfiltration<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Files from the NAS, backups, personal photos<\/li>\n\n\n\n<li>Traffic captures from the network (passwords, sessions); on a switched LAN this needs an active trick such as ARP spoofing, which a compromised device on a flat network is free to do<\/li>\n\n\n\n<li>Sent over HTTPS to external servers, hard to detect<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">3. <strong>Spying and surveillance<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Access to video\/audio feeds from cameras and microphones<\/li>\n\n\n\n<li>Excessive telemetry: when you are home, daily routines, consumption<\/li>\n\n\n\n<li>Correlation: even plugs reveal presence through usage patterns<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">4. <strong>Lateral movement<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>From compromised IoT \u2192 other IoT \u2192 personal devices<\/li>\n\n\n\n<li>Exploitation of unsecured services: SMB, RDP, SSH with weak passwords<\/li>\n\n\n\n<li>Persistence: infecting several devices so the foothold survives a reboot or factory reset of any one of them<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">5. <strong>Abuse of remote control<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Unauthorised commands: lights, plugs, thermostats, smart locks<\/li>\n\n\n\n<li>Discomfort or cost scenarios (e.g. air conditioning running continuously)<\/li>\n\n\n\n<li>&#8220;Bricking&#8221;: malicious updates that destroy functionality<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">6. <strong>Supply chain and backend risks<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Vulnerabilities in the manufacturer's cloud (not only TUYA, any brand)<\/li>\n\n\n\n<li>Malicious operators, or corporate acquisitions that change the data policy<\/li>\n\n\n\n<li>Changes to terms and conditions that expand data collection<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">REAL protection: a layered security architecture<\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.dioda.ro\/blog\/wp-content\/uploads\/2025\/10\/e5172db8-e2e3-4340-b9b2-7f175f3896d8.jpg\" alt=\"Vulnerable vs secured network comparison\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Layer 1: NETWORK SEGMENTATION (the most important measure!)<\/h3>\n\n\n\n<p><strong>Principle<\/strong>: completely isolate IoT from your personal devices.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Option A: a dedicated IoT VLAN (recommended)<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>VLAN 10 (main LAN): laptop, PC, personal phone, NAS  \nVLAN 30 (IoT): TUYA plugs, cameras, bulbs, sensors  \nVLAN 99 (Guest): visitors  \n<\/code><\/pre>\n\n\n\n<p><strong>Compatible routers<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ubiquiti UniFi (Dream Machine, USG)<\/li>\n\n\n\n<li>MikroTik (hEX, RB series)<\/li>\n\n\n\n<li>TP-Link Omada<\/li>\n\n\n\n<li>ASUS (ROG\/RT-AX models with VLAN support)<\/li>\n\n\n\n<li>pfSense\/OPNsense (DIY)<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Option B: a separate Wi-Fi SSID (for SOHO routers)<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>SSID: \"Casa\" \u2192 personal devices  \nSSID: \"Casa_IoT\" \u2192 smart devices only  \n<\/code><\/pre>\n\n\n\n<p><strong>Mandatory settings<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2705 <strong>AP Isolation \/ Client Isolation<\/strong>: ON (IoT devices cannot see each other; note that this also blocks legitimate device-to-device traffic on that SSID, for example a hub that talks to its own devices)<\/li>\n\n\n\n<li>\u2705 <strong>Access Intranet<\/strong>: OFF \/ <strong>Block LAN Access<\/strong>: ON<\/li>\n\n\n\n<li>\u2705 <strong>Guest Network<\/strong>: use the Guest function for IoT (the app on your phone will then reach the devices through the cloud instead of locally, which is acceptable for cloud-only TUYA devices)<\/li>\n<\/ul>\n\n\n\n<p><strong>Routers with this function<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ASUS: &#8220;Access Intranet&#8221; in Guest Network<\/li>\n\n\n\n<li>TP-Link: &#8220;Allow guests to access my local network&#8221; \u2192 OFF<\/li>\n\n\n\n<li>UniFi: &#8220;Guest Policies&#8221; \u2192 Block LAN<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Layer 2: FIREWALL RULES<\/h3>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.dioda.ro\/blog\/wp-content\/uploads\/2025\/10\/f856a5fa-cea4-4deb-8edc-c6786d016293.jpg\" alt=\"Firewall configuration for IoT\"\/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Rule 1: IoT \u2192 LAN = DENY ALL \u274c<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>Source: VLAN_IoT (192.168.30.0\/24)  \nDestination: VLAN_LAN (192.168.10.0\/24)  \nAction: REJECT\/DROP  \n<\/code><\/pre>\n\n\n\n<p><strong>Effect<\/strong>: a compromised plug can NOT see or attack the laptop or the NAS.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Rule 2: LAN \u2192 IoT = SELECTIVE ALLOW \u2705<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>Source: your phone (192.168.10.50)  \nDestination: VLAN_IoT (192.168.30.0\/24)  \nPorts: Any (for control from the app)  \nAction: ALLOW  \n<\/code><\/pre>\n\n\n\n<p><strong>Effect<\/strong>: you can control the cameras\/plugs from your phone, but IoT cannot initiate connections towards you. This relies on the firewall being stateful: replies to connections you open are let back through automatically, so Rule 1 only blocks connections that the IoT side starts. Rules are evaluated top-down and the first match wins, so keep the specific allow and deny rules above the broad ones.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Rule 3: IoT \u2192 Internet = ALLOW 80\/443 ONLY \u26a0\ufe0f<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>Source: VLAN_IoT  \nDestination: Internet (any)  \nPorts: TCP 80, 443 (HTTP\/HTTPS)  \nAction: ALLOW  \n  \nSource: VLAN_IoT  \nDestination: Internet (any)  \nPorts: Any other  \nAction: DENY  \n<\/code><\/pre>\n\n\n\n<p><strong>Effect<\/strong>: the devices can talk to the TUYA cloud for functionality, but cannot join botnets on other ports. Two caveats. First, TCP 80\/443 alone is not enough: the devices also need DNS (UDP\/TCP 53) to your resolver and NTP (UDP 123) to get the correct time, otherwise TLS certificate validation fails; and the TUYA cloud pushes commands over MQTT (typically TCP 8883), so watch the firewall's block log on first boot and add only the ports that are actually used. Second, port restrictions limit but do not prevent botnet participation: command-and-control over 443 and HTTP floods still fit through this rule, which is why the monitoring layer below matters.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Rule 4: IoT \u2192 Router Management = DENY \u274c<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>Source: VLAN_IoT  \nDestination: IP_Router (192.168.30.1, the router's address on the IoT VLAN, plus its other addresses)  \nPorts: 80, 443, 22, 23, 8291 (web, SSH, Telnet, Winbox)  \nAction: DENY  \n<\/code><\/pre>\n\n\n\n<p><strong>Effect<\/strong>: even if an IoT device is compromised, it cannot attack the router's administration interface. Mind the address: on a segmented network the gateway the IoT devices see is 192.168.30.1, not 192.168.1.1; a deny aimed only at 192.168.1.1 leaves that gateway wide open. Place this rule above Rule 3, otherwise the broad &#8220;Internet (any), TCP 80\/443&#8221; allow matches first and lets the IoT VLAN reach the router's web interface.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Layer 3: CONTROLLING TRAFFIC TO THE CLOUD<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">DNS filtering with Pi-hole or AdGuard Home<\/h4>\n\n\n\n<p><strong>Setup<\/strong>:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Install Pi-hole on a Raspberry Pi or a VM<\/li>\n\n\n\n<li>Set Pi-hole as the DNS server for the IoT VLAN (via DHCP); if Pi-hole lives on the main LAN, add an allow rule for IoT \u2192 Pi-hole on port 53 above Rule 1, and add a rule that blocks or redirects any other outbound port 53 traffic from the IoT VLAN, because many devices ship with a hard-coded resolver such as 8.8.8.8 and would otherwise bypass the filter<\/li>\n\n\n\n<li>Block excessive tracking domains, but test functionality afterwards<\/li>\n<\/ol>\n\n\n\n<p><strong>Benefits<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You see exactly which domains the devices &#8220;talk&#8221; to<\/li>\n\n\n\n<li>You block useless telemetry<\/li>\n\n\n\n<li>You detect suspicious behaviour (connections to new\/odd domains)<\/li>\n<\/ul>\n\n\n\n<p><strong>Example Pi-hole log<\/strong> (illustrative; the real domain names will differ):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tuya-eu.com \u2192 ALLOWED (needed for functionality)  \nanalytics.tuya.com \u2192 BLOCKED (telemetry)  \nads.tuya-inc.com \u2192 BLOCKED (advertising)  \nsuspicious-domain.ru \u2192 BLOCKED + ALERT  \n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Rate limiting<\/h4>\n\n\n\n<p>Limit bandwidth\/number of connections for the IoT VLAN:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Max 5 Mbps upload for IoT (raise this if cameras upload video to the cloud)<\/li>\n\n\n\n<li>Max 100 simultaneous connections<\/li>\n\n\n\n<li><strong>Effect<\/strong>: slows mass data exfiltration and blunts DDoS participation; it does not stop a patient attacker who exfiltrates slowly<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Layer 4: REMOVING ATTACK SURFACE<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Disable dangerous protocols:<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u274c <strong>UPnP<\/strong> (Universal Plug and Play) \u2192 opens ports automatically, without approval<\/li>\n\n\n\n<li>\u274c <strong>WPS<\/strong> (Wi-Fi Protected Setup) \u2192 vulnerable to PIN brute-force<\/li>\n\n\n\n<li>\u274c <strong>Remote Management<\/strong> from the internet \u2192 the router's interface reachable from the WAN<\/li>\n\n\n\n<li>\u274c <strong>Telnet\/HTTP<\/strong> on the router \u2192 use only SSH\/HTTPS<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Passwords and authentication:<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2705 Unique passwords for:\n<ul class=\"wp-block-list\">\n<li>The TUYA\/Smart Life account (enable <strong>2FA<\/strong>)<\/li>\n\n\n\n<li>The router (admin)<\/li>\n\n\n\n<li>Wi-Fi (separate for LAN and IoT)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>\u2705 Change the default passwords of IoT devices (where possible)<\/li>\n\n\n\n<li>\u2705 Use a password manager (Bitwarden, 1Password)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Layer 5: MONITORING AND DETECTION<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">What to monitor:<\/h4>\n\n\n\n<p><strong>1. DNS logs (Pi-hole\/AdGuard)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Top domains queried<\/li>\n\n\n\n<li>Blocked domains<\/li>\n\n\n\n<li>Query spikes (possible malware)<\/li>\n<\/ul>\n\n\n\n<p><strong>2. Firewall logs<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Blocked IoT \u2192 LAN connections (pivot attempts)<\/li>\n\n\n\n<li>Connections on unusual ports<\/li>\n\n\n\n<li>Large traffic volumes<\/li>\n<\/ul>\n\n\n\n<p><strong>3. NetFlow\/sFlow (if the router supports it)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Top destination IPs<\/li>\n\n\n\n<li>Bandwidth per device<\/li>\n\n\n\n<li>Protocols used<\/li>\n<\/ul>\n\n\n\n<p><strong>4. IDS\/IPS (Suricata on pfSense\/OPNsense)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detection of attack patterns<\/li>\n\n\n\n<li>Alerts for known exploits<\/li>\n\n\n\n<li>Port scans<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Alert thresholds:<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IoT traffic > 10 MB\/day to a single destination (baseline each device first: a camera that uploads clips to the cloud will exceed this legitimately)<\/li>\n\n\n\n<li>Connections to IPs in unexpected countries<\/li>\n\n\n\n<li>IoT \u2192 LAN connection attempts<\/li>\n\n\n\n<li>New, unsolicited DNS domains<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">The ADVANCED solution: local control with Home Assistant<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Why local control?<\/h3>\n\n\n\n<p><strong>Advantages<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2705 Commands work without internet<\/li>\n\n\n\n<li>\u2705 Data stays on the LAN<\/li>\n\n\n\n<li>\u2705 You can block IoT \u2192 Internet completely<\/li>\n\n\n\n<li>\u2705 Complex automations, without the cloud<\/li>\n\n\n\n<li>\u2705 Independence from the manufacturer<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Implementation options:<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Option 1: Home Assistant + the official TUYA integration<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Requires a TUYA cloud account (a compromise)<\/li>\n\n\n\n<li>The official integration goes through TUYA's cloud API; genuinely local commands need the community LocalTuya integration plus each device's local key, and not every device supports it<\/li>\n\n\n\n<li>Quick setup, no hardware modifications<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Option 2: reflash with local firmware (Tasmota\/ESPHome)<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Warning<\/strong>: voids the warranty and requires technical knowledge<\/li>\n\n\n\n<li>Some TUYA devices have reflashable ESP8266\/ESP32 chips; many newer ones ship Beken (BK7231) modules instead, which need OpenBeken\/LibreTiny rather than Tasmota, and recent firmware usually has to be flashed over a serial connection, not over the air<\/li>\n\n\n\n<li>100% local control, zero cloud<\/li>\n\n\n\n<li>Resources: <a href=\"https:\/\/templates.blakadder.com\" target=\"_blank\" rel=\"noreferrer noopener\">templates.blakadder.com<\/a><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Option 3: migrate to Zigbee\/Z-Wave<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Local hub: Zigbee2MQTT + Home Assistant<\/li>\n\n\n\n<li>Zigbee devices (many &#8220;TUYA&#8221; branded devices are in fact Zigbee and only need a coordinator that you control)<\/li>\n\n\n\n<li>Local protocol, no internet required<\/li>\n\n\n\n<li>Safer than cloud-only Wi-Fi, because the devices never touch your IP network at all<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Option 4: Matter\/Thread (the future)<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>New, interoperable standard with local control<\/li>\n\n\n\n<li>Growing support (2024-2025)<\/li>\n\n\n\n<li>Recommended for new purchases<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Implementation checklist (step by step)<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Level 1: MINIMUM MANDATORY (30 minutes)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a separate SSID &#8220;Casa_IoT&#8221; with <strong>AP Isolation ON<\/strong><\/li>\n\n\n\n<li>Set <strong>Access Intranet: OFF<\/strong> \/ <strong>Block LAN: ON<\/strong><\/li>\n\n\n\n<li>Disable <strong>UPnP<\/strong> and <strong>WPS<\/strong> on the router<\/li>\n\n\n\n<li>Change the router password and enable <strong>2FA on the TUYA account<\/strong><\/li>\n\n\n\n<li>Check that you have no <strong>port forwarding<\/strong> towards IoT devices<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Level 2: RECOMMENDED (2-3 hours)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configure a <strong>dedicated IoT VLAN<\/strong> (if the router supports it)<\/li>\n\n\n\n<li>Implement <strong>firewall rules<\/strong>: IoT \u2192 LAN = DENY<\/li>\n\n\n\n<li>Install <strong>Pi-hole\/AdGuard<\/strong> for DNS filtering<\/li>\n\n\n\n<li>Set <strong>DHCP reservations<\/strong> for IoT devices (fixed IPs), so that logs and rules refer to a known device<\/li>\n\n\n\n<li>Enable <strong>logging<\/strong> on the firewall and review it weekly<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Level 3: ADVANCED (1-2 days)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Install <strong>Home Assistant<\/strong> on a Raspberry Pi\/VM<\/li>\n\n\n\n<li>Configure <strong>IDS\/IPS<\/strong> (Suricata) on the IoT VLAN<\/li>\n\n\n\n<li>Implement <strong>rate limiting<\/strong> for IoT<\/li>\n\n\n\n<li>Set up <strong>automatic alerts<\/strong> for suspicious traffic<\/li>\n\n\n\n<li>Migrate critical devices to <strong>local Zigbee\/Z-Wave<\/strong><\/li>\n\n\n\n<li>Configure a <strong>VPN<\/strong> (WireGuard) for secure remote access, instead of exposing anything with port forwarding<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Level 4: PARANOIA (long-term projects)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reflash TUYA devices with <strong>Tasmota\/ESPHome<\/strong><\/li>\n\n\n\n<li>Block <strong>IoT \u2192 Internet<\/strong> completely (local control only)<\/li>\n\n\n\n<li>Granular segmentation: a separate VLAN per <strong>device type<\/strong><\/li>\n\n\n\n<li><strong>NetFlow<\/strong> monitoring with a Grafana dashboard<\/li>\n\n\n\n<li>Quarterly security audit<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Configuration examples for popular routers<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">ASUS (RT-AX88U, RT-AX86U, etc.)<\/h3>\n\n\n\n<p><strong>Guest Network for IoT<\/strong>:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Wireless \u2192 Guest Network \u2192 Enable<\/li>\n\n\n\n<li>Name: &#8220;Casa_IoT&#8221;<\/li>\n\n\n\n<li><strong>Access Intranet: Disable<\/strong> \u2705<\/li>\n\n\n\n<li>Access Time: Unlimited<\/li>\n\n\n\n<li>Apply<\/li>\n<\/ol>\n\n\n\n<p><strong>Firewall<\/strong>:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Firewall \u2192 General \u2192 Enable Firewall: Yes<\/li>\n\n\n\n<li><strong>Enable DoS protection<\/strong>: Yes<\/li>\n\n\n\n<li><strong>Respond ICMP Echo (ping) Request From WAN<\/strong>: No<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">TP-Link Archer (AX73, AX55, etc.)<\/h3>\n\n\n\n<p><strong>Guest Network<\/strong>:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Advanced \u2192 Guest Network \u2192 Create<\/li>\n\n\n\n<li><strong>Allow guests to access my local network<\/strong>: OFF \u2705<\/li>\n\n\n\n<li><strong>Allow guests to see each other<\/strong>: OFF \u2705<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">UniFi (Dream Machine, USG)<\/h3>\n\n\n\n<p><strong>Network creation<\/strong> (option names vary between controller versions):<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Settings \u2192 Networks \u2192 Create New Network<\/li>\n\n\n\n<li>Name: &#8220;IoT&#8221;<\/li>\n\n\n\n<li>VLAN ID: 30<\/li>\n\n\n\n<li><strong>Guest Policy<\/strong>: Apply \u2705<\/li>\n\n\n\n<li><strong>Block LAN Access<\/strong>: Enable \u2705<\/li>\n<\/ol>\n\n\n\n<p><strong>Firewall rules<\/strong>:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Settings \u2192 Firewall &amp; Security \u2192 Create Rule<\/li>\n\n\n\n<li>Type: LAN In, Action: Drop<\/li>\n\n\n\n<li>Source: IoT Network<\/li>\n\n\n\n<li>Destination: LAN Network<\/li>\n\n\n\n<li>Keep a stateful &#8220;allow established\/related&#8221; rule above this drop, so that replies to connections opened from the LAN still get through<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Myths debunked<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Myth 1: &#8220;I have to give up TUYA devices&#8221;<\/h3>\n\n\n\n<p><strong>Reality<\/strong>: with correct configuration the risk is small. Segmentation alone removes the whole pivot and lateral-movement class of threats.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Myth 2: &#8220;Only Chinese devices are dangerous&#8221;<\/h3>\n\n\n\n<p><strong>Reality<\/strong>: any IoT device can be compromised. Amazon Ring and Google Nest have had vulnerabilities. The focus: the network architecture, not the manufacturer's country.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Myth 3: &#8220;The router's firewall is enough&#8221;<\/h3>\n\n\n\n<p><strong>Reality<\/strong>: the default firewall protects WAN\u2192LAN, not LAN\u2192LAN. Segmentation needs custom rules.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Myth 4: &#8220;Firmware updates solve everything&#8221;<\/h3>\n\n\n\n<p><strong>Reality<\/strong>: they help, but do not replace segmentation. An updated device on a flat LAN is still a risk, and many IoT devices stop receiving updates long before they stop being used.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Myth 5: &#8220;It is too complicated for the average user&#8221;<\/h3>\n\n\n\n<p><strong>Reality<\/strong>: Level 1 (separate SSID + AP Isolation) is feasible for anyone in 30 minutes. 
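<\/p>\n\n\n\n<p><strong>Added example: auditing the Layer 2 rules.<\/strong> The firewall rules from Layer 2 are easy to get subtly wrong, for two reasons: most firewalls take the first matching rule, and a deny written for 192.168.1.1 never matches the gateway that the IoT VLAN actually talks to. The Python script below is an added example, not code from the original article or from TUYA. It models a first-match rule table and audits both the rules as listed above and a corrected ordering against a handful of constructed flows. The Pi-hole address (192.168.10.53), the IoT-side gateway (192.168.30.1), the cloud endpoint (203.0.113.10, a documentation address) and the MQTT port (8883) are assumptions.<\/p>\n\n\n\n
```python
# Added example (not from the article): a first-match firewall policy model used to
# audit the IoT rules from Layer 2. Addresses are assumed: Pi-hole at 192.168.10.53,
# the router's IoT-side gateway at 192.168.30.1, a cloud endpoint at 203.0.113.10.
from ipaddress import ip_address, ip_network

IOT = ip_network('192.168.30.0/24')
LAN = ip_network('192.168.10.0/24')
ANY = ip_network('0.0.0.0/0')
PHONE = ip_network('192.168.10.50/32')
PIHOLE = ip_network('192.168.10.53/32')     # assumed address of the resolver on the main LAN
MGMT_PORTS = {22, 23, 80, 443, 8291}        # SSH, Telnet, HTTP, HTTPS, Winbox


def rule(name, src, dst, action, proto='any', ports=None):
    '''One stateful rule for new connections; proto 'any' and ports None are wildcards.'''
    return {'name': name, 'src': src, 'dst': dst, 'action': action, 'proto': proto, 'ports': ports}


def matches(r, src, dst, proto, port):
    if ip_address(src) not in r['src'] or ip_address(dst) not in r['dst']:
        return False
    if r['proto'] != 'any'  and r['proto'] != proto:
        return False
    return r['ports'] is None or port in r['ports']


def evaluate(rules, src, dst, proto, port, default='deny'):
    '''First matching rule wins, as on UniFi, MikroTik, pfSense and most SOHO routers.'''
    for r in rules:
        if matches(r, src, dst, proto, port):
            return r['action'], r['name']
    return default, 'implicit default'


# The rules in the order the article lists them, with the router address it uses.
AS_WRITTEN = [
    rule('1 IoT->LAN deny', IOT, LAN, 'deny'),
    rule('2 phone->IoT allow', PHONE, IOT, 'allow'),
    rule('3 IoT->Internet 80/443 allow', IOT, ANY, 'allow', 'tcp', {80, 443}),
    rule('3 IoT->Internet other deny', IOT, ANY, 'deny'),
    rule('4 IoT->router mgmt deny', IOT, ip_network('192.168.1.1/32'), 'deny', 'tcp', MGMT_PORTS),
]

# Same intent, reordered and corrected: specific allows and denies first, broad rules last.
HARDENED = [
    rule('IoT->Pi-hole DNS allow', IOT, PIHOLE, 'allow', 'udp', {53}),
    rule('IoT->gateway mgmt deny', IOT, ip_network('192.168.30.1/32'), 'deny', 'tcp', MGMT_PORTS),
    rule('IoT->LAN deny', IOT, LAN, 'deny'),
    rule('phone->IoT allow', PHONE, IOT, 'allow'),
    rule('IoT->Internet HTTPS+MQTT allow', IOT, ANY, 'allow', 'tcp', {443, 8883}),  # 8883 assumed
    rule('IoT->Internet NTP allow', IOT, ANY, 'allow', 'udp', {123}),
    rule('IoT->anything else deny', IOT, ANY, 'deny'),
]

# Constructed sample flows: (source, destination, protocol, destination port).
FLOWS = {
    'plug to NAS SMB': ('192.168.30.20', '192.168.10.10', 'tcp', 445),
    'phone to camera': ('192.168.10.50', '192.168.30.21', 'tcp', 554),
    'plug to cloud HTTPS': ('192.168.30.20', '203.0.113.10', 'tcp', 443),
    'plug to cloud MQTT': ('192.168.30.20', '203.0.113.10', 'tcp', 8883),
    'plug to Pi-hole DNS': ('192.168.30.20', '192.168.10.53', 'udp', 53),
    'plug to router web UI': ('192.168.30.20', '192.168.30.1', 'tcp', 443),
}


def audit(rules):
    '''Map each sample flow to the action the rule set gives it.'''
    return {name: evaluate(rules, *flow)[0] for name, flow in FLOWS.items()}


if __name__ == '__main__':
    for label, rules in (('as written', AS_WRITTEN), ('hardened', HARDENED)):
        print(label)
        for name, flow in FLOWS.items():
            action, hit = evaluate(rules, *flow)
            print(f'  {name:22s} -> {action:5s} ({hit})')
```
\n\n\n\n<p>Run it and compare the two tables: with the rules as listed, the plug reaches the router's web interface on 192.168.30.1:443 through the broad &#8220;Internet (any), TCP 443&#8221; allow, DNS to a Pi-hole on the main LAN is dropped by Rule 1, and cloud MQTT is blocked; the reordered set denies the first and allows the other two. The model is deliberately generic: replace the rule list with the one from your router and add the flows you care about.<\/p>\n\n\n\n<p>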
Levels 2-3 require some research, but they are not rocket science.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion: security is a process, not a product<\/h2>\n\n\n\n<p>IoT devices, TUYA included, <strong>do not automatically compromise your network<\/strong>. The real risk comes from:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Lack of segmentation (all devices on the same LAN)<\/li>\n\n\n\n<li>Insecure default settings (UPnP, WPS, weak passwords)<\/li>\n\n\n\n<li>No monitoring<\/li>\n<\/ul>\n\n\n\n<p><strong>With the measures in this article<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2705 You isolate IoT from personal devices \u2192 <strong>the pivot is blocked<\/strong><\/li>\n\n\n\n<li>\u2705 You control traffic to the cloud \u2192 <strong>exfiltration is limited<\/strong><\/li>\n\n\n\n<li>\u2705 You monitor behaviour \u2192 <strong>fast detection<\/strong><\/li>\n\n\n\n<li>\u2705 You update and audit \u2192 <strong>minimal attack surface<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>The final message<\/strong>: this is not about &#8220;China&#8221; or &#8220;TUYA&#8221;. It is about <strong>your network architecture<\/strong>. 
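<\/p>\n\n\n\n<p><strong>Added example: the detection layer on real-looking logs.<\/strong> To make &#8220;monitor behaviour \u2192 fast detection&#8221; concrete, the Python script below is an added example, not code from the original article, that applies the Layer 5 alert thresholds to constructed log lines: dnsmasq-style query lines in the shape Pi-hole writes them, netfilter-style key=value lines from a firewall rule that logs IoT \u2192 LAN drops, and a per-day flow summary such as one aggregated from NetFlow. The baseline domain list, all addresses and the exact log prefixes are assumptions; the three functions are what you would wire to a cron job or a Home Assistant notification.<\/p>\n\n\n\n
```python
# Added example (not from the article): the Layer 5 alert thresholds applied to
# constructed log lines. Formats assumed: dnsmasq-style query lines as Pi-hole writes
# them, netfilter-style key=value lines from a logging IoT->LAN drop rule, and a flat
# per-day flow summary (source, destination, bytes) such as one aggregated from NetFlow.
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

IOT = ip_network('192.168.30.0/24')
LAN = ip_network('192.168.10.0/24')

# Domains the IoT VLAN queried during a quiet baseline week (constructed).
BASELINE_DOMAINS = {'m2.tuyaeu.com', 'a1.tuyaeu.com', 'pool.ntp.org'}

DNS_LOG = '''
Oct 15 10:01:02 dnsmasq[812]: query[A] m2.tuyaeu.com from 192.168.30.20
Oct 15 10:01:03 dnsmasq[812]: query[A] pool.ntp.org from 192.168.30.21
Oct 15 10:02:10 dnsmasq[812]: query[A] a1.tuyaeu.com from 192.168.30.20
Oct 15 10:03:44 dnsmasq[812]: query[A] update-check.example.net from 192.168.30.22
Oct 15 10:03:45 dnsmasq[812]: query[A] update-check.example.net from 192.168.30.22
'''

FW_LOG = '''
Oct 15 10:04:01 gw kernel: [IoT-LAN-DROP] IN=br30 OUT=br10 SRC=192.168.30.22 DST=192.168.10.10 PROTO=TCP DPT=445
Oct 15 10:04:01 gw kernel: [IoT-LAN-DROP] IN=br30 OUT=br10 SRC=192.168.30.22 DST=192.168.10.10 PROTO=TCP DPT=3389
Oct 15 10:04:02 gw kernel: [IoT-LAN-DROP] IN=br30 OUT=br10 SRC=192.168.30.22 DST=192.168.10.11 PROTO=TCP DPT=22
Oct 15 10:04:02 gw kernel: [IoT-LAN-DROP] IN=br30 OUT=br10 SRC=192.168.30.22 DST=192.168.10.12 PROTO=TCP DPT=80
Oct 15 10:09:30 gw kernel: [IoT-LAN-DROP] IN=br30 OUT=br10 SRC=192.168.30.21 DST=192.168.10.53 PROTO=UDP DPT=53
'''

# (source, destination, bytes) totals for one day (constructed).
FLOWS = [
    ('192.168.30.20', '203.0.113.10', 1_200_000),
    ('192.168.30.22', '198.51.100.7', 52_000_000),
    ('192.168.30.21', '203.0.113.10', 800_000),
]


def kv(line):
    '''Parse the KEY=value tokens of a netfilter-style log line into a dict.'''
    return dict(t.split('=', 1) for t in line.split() if '=' in t)


def dns_alerts(log, baseline):
    '''Article threshold: a domain the IoT VLAN never queried during the baseline.'''
    hits = set()
    for line in log.strip().splitlines():
        parts = line.split()
        idx = next((i for i, t in enumerate(parts) if t.startswith('query[')), None)
        if idx is None or len(parts) < idx + 4 or parts[-2] != 'from':
            continue
        domain, client = parts[idx + 1], parts[-1]
        if ip_address(client) in IOT and domain not in baseline:
            hits.add((client, domain))
    return sorted(hits)


def pivot_alerts(log, min_targets=3):
    '''Article threshold: IoT -> LAN attempts. Several distinct (host, port) targets from
    one source is the signature of the Step 2 scan; a single target is more often a
    misconfiguration (here .21 trying to reach the Pi-hole that Rule 1 blocks).'''
    targets = defaultdict(set)
    for line in log.strip().splitlines():
        f = kv(line)
        if 'SRC' not in f or 'DST' not in f:
            continue
        if ip_address(f['SRC']) in IOT and ip_address(f['DST']) in LAN:
            targets[f['SRC']].add((f['DST'], f.get('DPT')))
    return sorted((src, len(t)) for src, t in targets.items() if len(t) >= min_targets)


def volume_alerts(flows, limit_bytes=10_000_000):
    '''Article threshold: more than 10 MB per day from one IoT device to one destination.'''
    per_pair = Counter()
    for src, dst, nbytes in flows:
        if ip_address(src) in IOT:
            per_pair[(src, dst)] += nbytes
    return sorted((pair, total) for pair, total in per_pair.items() if total > limit_bytes)


if __name__ == '__main__':
    print('new domains :', dns_alerts(DNS_LOG, BASELINE_DOMAINS))
    print('pivot scans :', pivot_alerts(FW_LOG))
    print('heavy flows :', volume_alerts(FLOWS))
```
\n\n\n\n<p>On the constructed data the plug at 192.168.30.22 trips all three checks at once: it resolves a domain that was never in the baseline, it is the only source that hit several LAN hosts and ports in quick succession, and it moved 52 MB to one destination in a day. Seen together these are exactly the pivot and exfiltration steps from Scenario 1; any one of them on its own is worth a look, but all three from the same device is an incident.<\/p>\n\n\n\n<p>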
Implement at least Level 1 of the checklist and you will be light-years ahead of most home users.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Further resources<\/h2>\n\n\n\n<p><strong>Technical documentation<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.home-assistant.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">Home Assistant<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/pi-hole.net\/\" target=\"_blank\" rel=\"noreferrer noopener\">Pi-hole<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/tasmota.github.io\/docs\/\" target=\"_blank\" rel=\"noreferrer noopener\">Tasmota<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.zigbee2mqtt.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">Zigbee2MQTT<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>Do you have questions, or want a configuration tailored to your equipment?<\/strong> Write your router model and the IoT devices you have in the comments \u2013 I will answer each one!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Many users hesitate to install TUYA smart devices for fear that they &#8220;give China access to their internal network&#8221;. The reality is more nuanced: IoT risks exist regardless of the manufacturer, and effective protection comes down to configuring your own network correctly. This article shows exactly how these devices can be abused and, more importantly, how to &#8230; <a title=\"Do TUYA devices compromise your network? How to REALLY protect yourself from IoT attacks\" class=\"read-more\" href=\"https:\/\/www.dioda.ro\/blog\/electronica\/dispozitivele-tuya-iti-compromit-reteaua-cum-te-protejezi-real-de-atacuri-iot\/\" aria-label=\"Read more about Do TUYA devices compromise your network? How to REALLY protect yourself from IoT attacks\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":1809,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[10],"tags":[],"class_list":["post-1808","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-electronica"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/www.dioda.ro\/blog\/wp-content\/uploads\/2025\/10\/a93e0c81-cac7-4b14-90d6-bb0e00e38b36.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8WdYv-ta","jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/www.dioda.ro\/blog\/wp-json\/wp\/v2\/posts\/1808","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dioda.ro\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dioda.ro\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dioda.ro\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dioda.ro\/blog\/wp-json\/wp\/v2\/comments?post=1808"}],"version-history":[{"count":2,"href":"https:\/\/www.dioda.ro\/blog\
/wp-json\/wp\/v2\/posts\/1808\/revisions"}],"predecessor-version":[{"id":1814,"href":"https:\/\/www.dioda.ro\/blog\/wp-json\/wp\/v2\/posts\/1808\/revisions\/1814"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dioda.ro\/blog\/wp-json\/wp\/v2\/media\/1809"}],"wp:attachment":[{"href":"https:\/\/www.dioda.ro\/blog\/wp-json\/wp\/v2\/media?parent=1808"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dioda.ro\/blog\/wp-json\/wp\/v2\/categories?post=1808"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dioda.ro\/blog\/wp-json\/wp\/v2\/tags?post=1808"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}